October 24, 2003 - In a reply to a question asked by a new FirstClass Administrator on FirstClass Online, Bryan Friberg of Adams 12 Schools in Northglenn, CO wrote the following. We thought you would find it interesting as it brings together in one message several important points about protecting your FirstClass Post Office.
New FirstClass Administrator writes:
I am fairly new to FC and would love to hear of recommended do's and don'ts with regard to FC POs (particularly regular maintenance).
1. Do not allow other software to touch the PO file system. FC has its own file system which is controlled by several indexes that take directory entries like G:\FCPO\U\20.10\15939.10\ACD599ED.M18 and turn 'em into an object, like an address entry in an address book. The server software needs total exclusive access to this directory structure, so you MUST turn off indexing software, antivirus software, tape backup software, etc. etc. that could open or delete or move a file. Tape backup software, for example, won't move a file but will attempt to open and change a file's archive bit... and since FC keeps the files open (and in most cases cached), making a backup of a running PO is worthless anyhow. Make sure nothing other than FC touches the file system under FCPO on any of your production drives. Antivirus programs, for example, can be "educated" so that they never scan FCPO but perhaps scan the OS partition (which can be a good thing). But IMHO, FC is the ONLY software that should be running on the FC PO machine.
Now, one of the many joys of administrating FC is that, when a file does get destroyed by the OS, you won't generally lose anything other than that object. Statistically, the object that gets mangled will be an individual mail or an attachment... a single mail or attachment. So, if the user ever clicks on that object again (which they most likely won't), they will get an error, and you will get a warning when running diagnostics. But the client or server won't crash, the planet won't stop spinning, they just won't be able to read that old mail.
Unix / Linux / OSX file systems have built-in protections from file mangle-ism, Windows does NOT. Older Mac OSs had trouble with too many files... newer ones don't.
2. Protect the file system with some type of RAID. I like RAID 1, others like 5. As long as it's hardware RAID. RAID also speeds up the READS which will greatly improve performance since WRITES are small and dynamic... i.e. the user is not waiting for anything to be written, they are waiting for the next object to open, which is a READ.
3. Open only the ports that you need. Your FC server doesn't have to be a file server, or have any kind of print capability, etc. etc... turn all of that junk OFF. Close everything except for the ports that you need based on your application. The PO needs 510, 810 and 3000-3005 (for older Mac clients). IS, on the other hand, has a bunch of ports based on the services that you enable... 25 for mail, 80 for web, NNTP (news), POP3 (other email clients), FTP (file transfer protocol), IMAP4 and LDAP.
4. Add that second processor. If you want to run anything other than the PO or IS on a machine, you need a second processor. They are typically inexpensive.
5. Add a pile of RAM. Just get a shovel and shovel it in.... before RAM prices go up again.
6. Consider separate machines for the PO and IS. Simply because you will be rebooting IS on a regular basis. AND you can install AV gateway software on the IS machine, or have a different security policy for that machine (like have it in the DMZ) while the PO is NOT on the DMZ. The IS machine doesn't have any file structure like the PO machine does in #1, so it is a good candidate for AV software. The PO machine only has a few, non-standard ports open, so it doesn't get hacked much; the PO is not a very good target for hackers... the IS machine is a REALLY GOOD target because it has port 80 and 25 open.
7. Set up a mirror drive. Mirror your PO to a mirror drive, pause the mirror, then back up the mirror file to tape or ?. Internal mirror drives run fast and can offload processing from the CPU if you have a really intelligent RAID card, but will be useless if the entire machine gets stolen. If you have concerns about off-site, put the mirror drive in a server in another building. Then if you lost the primary server, you could load the server software, rename the mirror drive subdirs and be up in minutes.
-Check the Centrinity web site and user groups for patches and load them on a regular basis. Wait until 50% of the group has done it first, then do yours; watch for comments in the user groups.
-Reboot IS machine.
-Clear the DNS cache if using Windows for DNS.
-Check logs for successful mirror completion and for serious errors.
-Ask questions and help others on the conference. Post success stories too.
-Send bright ideas to "Enhancement Suggestions".
-Reboot the PO machine (unless you are using Unix / Linux / OSX- then possibly never).
-Run a script every 6 months that changes everybody's reply pref. to "Reply Sender".
-Consider a script that changes background graphic and resets icon positions in order to highlight new services and keep things "fresh".
-Consider forcing a global password change.
-Balance the directory once a year if you have a lot of users.
-Change the admin password.
-Replace hard drives.
-Replace the server.
-Take the admin class again.
Bryan L. Friberg, Sr.
Senior Programmer, District Webmaster
Adams 12 Five Star School District
Bryan is willing to discuss any of this; he can be reached via his account on FirstClass Online.
There is one addition to Bryan's message. In item 3 above, port 810 is a UDP port, not TCP, and if you are using FirstClass Notifier, UDP ports above 1024 need to be opened to allow users outside your firewall to receive notifications.
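As an added example (not code from the page, FirstClass or Adams 12), here is a small audit that compares a PO host's listening sockets with the allowlist from item 3 and the UDP 810 correction above, so that stray services like file sharing show up before the box is exposed. The netstat lines are constructed, and the Windows `netstat -an` column layout is an assumption.

```python
"""Audit a FirstClass Post Office host's open sockets against the ports
the text says the PO needs: 510/tcp, 810/udp (not tcp), 3000-3005/tcp."""
import re

# Allowlist taken from item 3 plus the editor's note that 810 is UDP.
PO_ALLOWED = {("tcp", 510), ("udp", 810)} | {("tcp", p) for p in range(3000, 3006)}

# Constructed sample in Windows `netstat -an` layout (assumption), with two
# services (NetBIOS 137/udp, 139/tcp) the PO machine should not be running.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:510            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3001           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:510        192.168.1.77:1045      ESTABLISHED
  UDP    0.0.0.0:810            *:*
  UDP    0.0.0.0:137            *:*
"""

# proto, local address, local port, foreign address, optional TCP state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?", re.I)


def listening_sockets(netstat_text):
    """Return the set of (proto, port) the host accepts traffic on.
    TCP rows count only in LISTENING state; a bound UDP socket always counts."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or blank line
        proto, port, state = m.group(1).lower(), int(m.group(3)), m.group(5)
        if proto == "tcp" and (state or "").upper() != "LISTENING":
            continue  # established/time-wait rows are not exposed services
        found.add((proto, port))
    return found


def unexpected_ports(netstat_text, allowed=PO_ALLOWED):
    """Open sockets the PO does not need: candidates to close or firewall."""
    return sorted(listening_sockets(netstat_text) - allowed)


def required_not_open(netstat_text, allowed=PO_ALLOWED):
    """Allowlisted ports with nothing bound, e.g. the server is down."""
    return sorted(allowed - listening_sockets(netstat_text))


if __name__ == "__main__":
    print("unexpected:", unexpected_ports(SAMPLE_NETSTAT))
    print("required but not open:", required_not_open(SAMPLE_NETSTAT))
```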
News Service © 2003 Acorn MicroSolutions Inc.
FirstClass logos and original content © 2003 Open Text Corporation